US-10728233

Secure key management in a high volume device deployment

Published: July 28, 2020
Assignee: not available in USPTO data we have
Inventors: not available in USPTO data we have
Technical Abstract

A method is provided for remotely and securely accessing a modem using an encrypted authentication token that carries a modem password. The method includes: receiving an encrypted authentication token from the modem, the authentication token having a modem password stored in secure memory and being encrypted according to a public key; transmitting the encrypted authentication token to an authentication server; receiving a decrypted authentication token from the authentication server, the decrypted authentication token comprising the modem password; generating an authentication key and a privacy key from the modem password; configuring modem interfaces at least in part using the authentication token, the modem interfaces including a network management protocol interface; and communicating with the modem using the network management protocol interface according to at least one of the generated authentication key and the privacy key.

Patent Claims
12 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A method of accessing a modem for use with a service provider, comprising: receiving an encrypted authentication token from the modem, the authentication token having a modem password stored in secure memory and being encrypted according to a public key, wherein the authentication token comprises at least one password and a session key; transmitting the encrypted authentication token to an authentication server; receiving a decrypted authentication token from the authentication server, the decrypted authentication token comprising the modem password; generating an authentication key and a privacy key from the modem password; configuring modem interfaces at least in part using the authentication token, the modem interfaces including a network management protocol interface; communicating with the modem using the network management protocol interface according to at least one of the generated authentication key and the privacy key; generating by the modem the authentication key and the privacy key at least in part from the modem password; wherein communicating with the modem using the network management protocol interface according to at least one of the generated authentication key and the privacy key comprises at least one of: authenticating communications received from the modem at least in part according to the authentication key; decrypting received communications at least in part according to the privacy key; transmitting communications to the modem at least in part according to the authentication key; and transmitting communications to the modem encrypted at least in part according to the privacy key; wherein communicating with the modem using the network management protocol interface according to at least one of the generated authentication key and the privacy key comprises logging into the modem at least in part using the at least one password; wherein communicating with the modem using the network management protocol interface according to at least one of the generated authentication key and the privacy key further comprises configuring modem interfaces at least in part using the authentication token, including: generating configuration data; encrypting the configuration data according to at least a portion of the session key; transmitting the encrypted configuration data to the modem; wherein generating the configuration data comprises: generating a bitmap, the bitmap having a plurality of values, each of the plurality of values enabling one of a plurality of modem interfaces; encrypting the configuration data at least in part according to at least a portion of the authentication token comprises: encrypting the bitmap according to at least a portion of the session key of the authentication token; and wherein the modem decrypts the encrypted configuration data according to the at least a portion of the session key of the authentication token, and enables or disables the plurality of modem interfaces according to the plurality of values.

2. The method of claim 1, wherein: the communications comprise a payload and a hash of the payload generated according to the authentication key; authenticating communications received from the modem at least in part according to the authentication key comprises: generating a hash of the payload according to the authentication key; and comparing the generated hash of the payload with the received hash of the payload; transmitting communications received from the modem at least in part according to the authentication key comprises: generating a hash of the payload according to the authentication key; and transmitting the payload and the generated hash of the payload.

3. The method of claim 1, further comprising: the configuration data comprises an address of the modem; and the modem verifies the decrypted configuration data according to the address of the modem.

4. The method of claim 1, wherein: the encrypted authentication token is received in a client of the service provider; the authentication token is encrypted according to a service provider public key; and the service provider public key is stored in secure storage of the modem.

5. The method of claim 4, further comprising: receiving a configuration file in the modem, the configuration file comprising: a second service provider public key; an authentication token validity period; and a maximum number of logins.

6. The method of claim 5, further comprising: determining if the second service provider public key of the received configuration file is different than the service provider public key stored in the secure storage; if the service provider public key of the received configuration file is different than the service provider public key stored in the secure storage: replacing the service provider public key stored in the secure storage with the second service provider public key of the received configuration file; generating a second authentication token, the second authentication token comprising: a second password; a second session key; and a hash of a secure shell (SSH) public key; tagging the second password, the second session key, and the hash of the SSH public key with a validity period, a maximum number of logins and an address of the modem; and encrypting the second authentication token with the second service provider public key.

7. The method of claim 5, further comprising: determining if the received authentication token has expired; if the received authentication token has expired: generating a second authentication token, the second authentication token comprising: a second password; a second session key; and a hash of a secure shell (SSH) public key; tagging the second password, the second session key, and the hash of the SSH public key with a validity period, a maximum number of logins and an address of the modem; and encrypting the second authentication token with the second service provider public key.

8. The method of claim 5, further comprising: determining whether the second service provider public key is in the received configuration file; and if the second service provider public key is not in the received configuration file, disabling access to the modem.

9. The method of claim 1, wherein: the encrypted authentication token is received in a client of a security provider; the authentication token is encrypted according to an authentication server public key; and the authentication server public key is part of a software image of the modem.

10. The method of claim 9, wherein receiving an encrypted authentication token from the modem comprises: receiving the encrypted authentication token via a temporary dedicated port opened by the modem.

11. The method of claim 10, wherein receiving an encrypted authentication token from the modem comprises: determining if the received authentication token has expired; if the received authentication token has expired: generating a second authentication token, the second authentication token comprising: a second password; a second session key; and a hash of a secure shell (SSH) public key; tagging the second password, the second session key and the hash of the SSH public key with a validity period, a maximum number of logins and an address of the modem; and encrypting the second authentication token with a second authentication server public key.

12. An apparatus for accessing a modem for use with a service provider, comprising: a processor; a memory, communicatively coupled to the processor, the memory storing processor instructions comprising instructions for: receiving an encrypted authentication token from the modem, the authentication token having a modem password stored in secure memory and being encrypted according to a public key; transmitting the encrypted authentication token to an authentication server; receiving a decrypted authentication token from the authentication server, the decrypted authentication token comprising the modem password; and generating an authentication key and a privacy key from the modem password; configuring modem interfaces at least in part using the authentication token, the modem interfaces including a network management protocol interface; and communicating with the modem using the network management protocol interface according to at least one of the generated authentication key and the privacy key; wherein the modem also generates the authentication key and the privacy key at least in part from the modem password; wherein the processor instructions for communicating with the modem using the network management protocol interface according to at least one of the generated authentication key and the privacy key comprises processor instructions for at least one of: authenticating communications received from the modem at least in part according to the authentication key; decrypting received communications at least in part according to the privacy key; transmitting communications to the modem at least in part according to at least one of the authentication key and the privacy key; wherein the communications comprise a payload and a hash of the payload generated according to the authentication key; wherein the processor instructions for authenticating communications received from the modem at least in part according to the authentication key comprise processor instructions for: generating a hash of the payload according to the authentication key; and comparing the generated hash of the payload with the received hash of the payload; wherein transmitting communications received from the modem at least in part according to the authentication key comprises: generating a hash of the payload according to the authentication key; and transmitting the payload and the generated hash of the payload.
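The key derivation, keyed-hash authentication (claim 2) and encrypted interface bitmap (claims 1 and 3) described in the claims above, as an added Python example that is not the patent's own code: PBKDF2 key derivation, HMAC-SHA256 tags, the HMAC-based keystream cipher and the interface list are all assumptions, since the claims leave the primitives unspecified. The example also tags the encrypted configuration with the authentication key, which the claims do not require, so a modified ciphertext cannot change which interfaces the modem enables.

```python
import hashlib
import hmac
import os
# Added example. PBKDF2 with the address as salt and HMAC-SHA256 tags are assumptions;
# the patent only says both keys are generated from the modem password.

def derive_keys(modem_password: bytes, modem_address: bytes):
    """Both client and modem derive the auth and privacy keys locally (claim 1)."""
    master = hashlib.pbkdf2_hmac("sha256", modem_password, modem_address, 100_000)
    auth_key = hmac.new(master, b"auth", hashlib.sha256).digest()
    priv_key = hmac.new(master, b"priv", hashlib.sha256).digest()
    return auth_key, priv_key

def sign_payload(auth_key: bytes, payload: bytes) -> bytes:
    """Claim 2: message = payload || keyed hash of payload."""
    return payload + hmac.new(auth_key, payload, hashlib.sha256).digest()

def verify_payload(auth_key: bytes, message: bytes):
    """Claim 2, receive side: recompute, compare in constant time; None on mismatch."""
    payload, tag = message[:-32], message[-32:]
    expected = hmac.new(auth_key, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, expected) else None

INTERFACES = ("ssh", "snmp", "telnet", "http")  # constructed interface list

def make_bitmap(enabled) -> bytes:
    """Claim 1: one bit per interface, set bit = interface enabled."""
    return sum(1 << i for i, n in enumerate(INTERFACES) if n in enabled).to_bytes(1, "big")

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 counter keystream: a stand-in for the cipher the patent leaves unspecified."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def build_config(session_key: bytes, auth_key: bytes, modem_address: bytes, enabled) -> bytes:
    """Claims 1/3: encrypt address||bitmap under the session key, then tag with the auth key."""
    nonce = os.urandom(12)
    body = nonce + keystream_xor(session_key, nonce, modem_address + make_bitmap(enabled))
    return sign_payload(auth_key, body)

def modem_apply_config(session_key: bytes, auth_key: bytes, modem_address: bytes, blob: bytes):
    """Modem side: verify the tag, decrypt, check the address (claim 3), return interface states."""
    body = verify_payload(auth_key, blob)
    plain = keystream_xor(session_key, body[:12], body[12:]) if body else b""
    if not hmac.compare_digest(plain[:-1], modem_address):
        return None  # bad tag or configuration addressed to a different modem
    return {n: bool(plain[-1] >> i & 1) for i, n in enumerate(INTERFACES)}
```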


Patent Metadata

Filing Date

April 3, 2018

Publication Date

July 28, 2020


Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “Secure key management in a high volume device deployment” (US-10728233). https://patentable.app/patents/US-10728233
